mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)

debian/changelog

@@ -19,6 +19,8 @@ linux (4.9.18-2) UNRELEASED; urgency=medium
   * ping: implement proper locking (CVE-2017-2671)
   * fscrypt: remove broken support for detecting keyring key revocation
     (CVE-2017-7374)
+  * mm/mempolicy.c: fix error handling in set_mempolicy and mbind
+    (CVE-2017-7616)
 
  -- Ben Hutchings <ben@decadent.org.uk>  Thu, 30 Mar 2017 18:27:30 +0100
 

debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch

@@ -0,0 +1,76 @@
+From: Chris Salls <salls@cs.ucsb.edu>
+Date: Fri, 7 Apr 2017 23:48:11 -0700
+Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
+Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
+
+In the case that compat_get_bitmap fails we do not want to copy the
+bitmap to the user as it will contain uninitialized stack data and leak
+sensitive data.
+
+Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mempolicy.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 75b2745..37d0b33 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1529,7 +1529,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, int __user *, policy,
+ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
+ 		       compat_ulong_t, maxnode)
+ {
+-	long err = 0;
+ 	unsigned long __user *nm = NULL;
+ 	unsigned long nr_bits, alloc_size;
+ 	DECLARE_BITMAP(bm, MAX_NUMNODES);
+@@ -1538,14 +1537,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
+ 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+ 
+ 	if (nmask) {
+-		err = compat_get_bitmap(bm, nmask, nr_bits);
++		if (compat_get_bitmap(bm, nmask, nr_bits))
++			return -EFAULT;
+ 		nm = compat_alloc_user_space(alloc_size);
+-		err |= copy_to_user(nm, bm, alloc_size);
++		if (copy_to_user(nm, bm, alloc_size))
++			return -EFAULT;
+ 	}
+ 
+-	if (err)
+-		return -EFAULT;
+-
+ 	return sys_set_mempolicy(mode, nm, nr_bits+1);
+ }
+ 
+@@ -1553,7 +1551,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
+ 		       compat_ulong_t, mode, compat_ulong_t __user *, nmask,
+ 		       compat_ulong_t, maxnode, compat_ulong_t, flags)
+ {
+-	long err = 0;
+ 	unsigned long __user *nm = NULL;
+ 	unsigned long nr_bits, alloc_size;
+ 	nodemask_t bm;
+@@ -1562,14 +1559,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
+ 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+ 
+ 	if (nmask) {
+-		err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
++		if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
++			return -EFAULT;
+ 		nm = compat_alloc_user_space(alloc_size);
+-		err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
++		if (copy_to_user(nm, nodes_addr(bm), alloc_size))
++			return -EFAULT;
+ 	}
+ 
+-	if (err)
+-		return -EFAULT;
+-
+ 	return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
+ }
+ 
+-- 
+2.1.4
+

debian/patches/series

@@ -132,6 +132,7 @@ bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
 bugfix/all/ping-implement-proper-locking.patch
 bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
+bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch